For any number of reasons, the need to verify authenticity of e-mail message senders cannot be understated. Such authentication needs to provide an alert when identification information of a sending entity designated in an e-mail message cannot be authenticated. Examples of sender identification information provided in an e-mail message includes, but is not limited to, a sending entity's name, logo, audible sound, etc. While it would be useful to know who is the entity sending fraudulent and malicious e-mail messages, there is tremendous value in simply knowing that the sender identification information provided in an e-mail message has passed or failed a trusted authentication process. Similarly, there is value in knowing that an e-mail message sender has or has not been successfully authenticated even though the authentication does not identify the person or entity sending a fraudulent or malicious e-mail message.
The lack of an effective and practical means for providing such e-mail message authentication has lead to rapid growth of the criminal activities such as, for example, “phishing”. In phishing, a criminal typically sends an email to a recipient under the guise that the e-mail message has been sent from a reputable and/or trusted entity such as, for example, a financial institution, an on-line service provider or the like. The e-mail message entices the recipient to reply with confidential information (e.g., via a link to a fraudulent website where confidential information can be entered). If obtained, the criminal uses the confidential information to compromise a corresponding account or accounts of the e-mail message recipient. Examples of the confidential information include, but are not limited to, information used for accessing a bank account, an investment account, an on-line payment service account, an on-line auction account or the like. With this information, the criminal typically steals funds from a corresponding account or uses such account information to facilitate financial scams against other persons or entities using the identity of the recipient. Unfortunately, phishing is a large and growing problem, with phishing techniques becoming stealthier as often as each week.
With respect to authentication of an e-mail message sender, one known solution is Sender Policy Framework (SPF). SPF attempts to confirm that an email message came from a machine that is designated as being allowed to send email messages from that domain. Unfortunately, there is no check for the legitimacy of the domain. So, anyone can register a domain like ‘x-company-special-on-TV.com’ and claim to be sending email messages from x-company.
Hoax e-mail messages represent another situation in which it would be beneficial to authenticate the sender of email messages. For example, many hoax emails are purported to be from an authoritative source, whereas they are obviously not. But, there is currently no way for the recipient of an e-mail message to effectively and practically authenticate the sender identity. Denials from the actual authoritative source rarely manage to suppress these hoax e-mail messages.
Unsolicited mass e-mailings, also generally referred to as “Spam”, are widespread. Despite all of the attempts at controlling Spam, its rate of occurrence continues to increase and is now estimated to make up a large majority of all email messages. Accordingly, there is clearly a need to reduce the frequency and quantity of Spam. Furthermore, it is not surprising that these unsolicited mass e-mailings typically have header information falsely indicating that the e-mail messages are from legitimate and/or trusted entities. Authentication of header information would provide a means for limiting the amount of Spam that a person receives, in addition to limiting the potential for being the subject of associated fraudulent activity such as phishing.
Fraudulent webpages are often set-up and often used to support phishing activities initiated via e-mail messages. These fraudulent websites appear to be that of a trusted institution, but are actually set-up for the specific purpose of committing criminal activities. Accordingly, there is great value in verifying an entity that is in control of the webpage and/or website.
Like e-mail messages and webpages, Instant Messaging (IM) systems are yet another network-based communication approach where criminal or deceitful activity is typically perpetrated though the use of a false identity. Authentication of an IM screen name designated as the sender of an IM message is desirable, as is authentication that the IM screen name is from a particular institution. Without such authentication, confidential information can be readily compromised, directly or indirectly, through communications using IM.
Presently, there are no complete and/or effective solutions for authenticating an entity purported to be responsible for providing an e-mail message, a website/webpage and/or an Instant Messaging (IM) message to a recipient. As such, phishing, Spam and other types of criminal and deceitful activities based on falsified identity information and committed over data communication networks continues to persist and grow. There are a number of pieces to solutions or partial solutions that are related to the solving the problems of such criminal and deceitful activities based on falsified identity information, but which in fact do not fully solve or adequately address these problems.
One known solution that attempts to confirm that a webpage is coming from the actual owner of a corresponding URL (Uniform Resource Locator) is the Domain Name System (DNS) in combination with SSL/TLS (Secure Socket Layer/Transport Layer Security) protocol, which is also known as HTTPS (i.e., HyperText Transport Protocol with SSL protection). Unfortunately, several factors conspire to make such a solution inadequate. One factor that makes this known solution less than effective is that many companies use multiple domain names and these domain names come and go with no consistent rules. For example, x-company may register “x-company” in all the important top-level domains (e.g., x-company.com, x-company.net, x-company.org, etc) and also in each country domain (e.g., x-company.ca, etc). However, for a special promotion, x-company may have the x-company-TV.com domain name, but not the x-company-TV.ca domain name. This means consumers can be easily confused when presented with the domain names: x-companyTV.com, x-company-TV-special.com, etc. Another factor that makes this known solution less than effective is that companies often have subsidiaries and other corporate entities, which are created with little fanfare. It is difficult for the average consumer to keep track of all these domain names. Still another factor that makes this known solution less than effective is that there are often multiple companies that legitimately have the same name. The most frequent case is where the two companies operating in different jurisdiction. The DNS ownership model is essentially first come-first serve, with a dispute resolution mechanism in place. So, it is essentially impossible for consumers to know which of the multiple entities owns the “most obvious” domain name, or that the company they want uses a non-obvious domain name. Still another factor that makes this known solution less than effective is that many numeric digits and/or text letters look alike. One classic approach for using numeric digits and text letters for deceitful purposes with respect to falsified identity information is substituting the numeric digit “0” for the upper case letter “O” or numeric digit “1” for lower case letter “L”. In recent days, there are much more sophisticated ruses using Cyrillic characters or Unicode characters. This allows the criminals to have fake domain names that are essentially visually indistinguishable from the real domain names. There is a whole class of software that tries to use blacklist as well as heuristics to identify these fake domain names. But, this software suffers from the problems of network overhead as well as taking time to add rogue domains to the blacklist. Yet another factor that makes this known solution less than effective is that Spam email has grown to be a huge problem. Most filtering efforts have taken the approach of looking at e-mail message content to identity the currently popular Spam topics such as, for example, on-line purchase of prescription medications. State-of-the-art Spam now uses images as well as misspelling to get past these filters.
Recently, an authentication methodology referred to as “EV Certificate” (Extended Validation Certificate) has been introduced. As the name implies, it has the same foundation as the standard (i.e., non-EV) SSL/TLS certificates, but with extra validation. Most of the problems explained above with respect to standard (i.e., non-EV) SSL/TLS certificates still apply. It is believed that EV Certificates will only help track down a perpetrator of fraudulent activity (e.g., phishing) after such fraudulent activity has been perpetrated as opposed to preventing such fraudulent activity. Obviously, the perpetrator is often times a shell entity in an environment with little or no on-line fraud policing budget or interest in policing fraudulent or malicious on-line activities. Accordingly, even though EV Certificates do help in some ways, they don't appear to actually solve the problem of phishing.
Therefore, regardless of whether the network-based communication approach is e-mail, a webpage and/or Instant Messaging, a solution that that overcomes at least a portion of the drawbacks associated with known approaches for combating network-enabled criminal and deceitful activity that is based on falsified or otherwise dishonest identity information would be useful, advantageous and novel.